- Using the LocalSystem Account as a Service Logon Account
- How to Run a Program as SYSTEM (LocalSystem) Account in Windows
- Method to run a program under the SYSTEM account:
- How to Run Programs as SYSTEM (LocalSystem account)
- Using PsExec.exe from Windows Sysinternals
- Using Advanced Run from Nirsoft
- Run as SYSTEM via the right-click menu
- Using Process Hacker
- Using NirCmd.exe from NirSoft
- Context menu implementation
- Using RunAsSystem from Uwe Sieber
- Context menu implementation
- Using “NSudo” from M2Team
- NSudo: Command-line support
- Context menu addition
- One small request: If you liked this post, please share this?
- About the author
- 2 thoughts on “How to Run a Program as SYSTEM (LocalSystem) Account in Windows”
- Windows service: Listening on socket while running as LocalSystem
- Why running a service as Local System is bad on windows?
- 5 Answers 5
Using the LocalSystem Account as a Service Logon Account
One advantage of running under the LocalSystem account is that the service has complete unrestricted access to local resources. This is also the disadvantage of LocalSystem because a LocalSystem service can do things that would bring down the entire system. In particular, a service running as LocalSystem on a domain controller (DC) has unrestricted access to Active Directory Domain Services. This means that bugs in the service, or security attacks on the service, can damage the system or, if the service is on a DC, damage the entire enterprise network.
For these reasons, domain administrators at sensitive installations will be cautious about allowing services to run as LocalSystem. In fact, they may have policies against it, especially on DCs. If your service must run as LocalSystem, the documentation for your service should justify to domain administrators the reasons for granting the service the right to run at elevated privileges. Services should never run as LocalSystem on a domain controller. For more information and a code example that shows how a service or service installer can determine if it is running on a domain controller, see Testing Whether Running on a Domain Controller.
When a service runs under the LocalSystem account on a computer that is a domain member, the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member. Be aware that in WindowsВ 2000, a domain computer account is a service principal, similar to a user account. This means that a computer account can be in a security group, and an ACE in a security descriptor can grant access to a computer account. Be aware that adding computer accounts to groups is not recommended for two reasons:
- Computer accounts are subject to deletion and re-creation if the computer leaves and then rejoins the domain.
- If you add a computer account to a group, all services running as LocalSystem on that computer are permitted the access rights of the group. This is because all LocalSystem services share the computer account of their host server. For this reason, it is particularly important that computer accounts not be made members of any domain administrator groups.
Computer accounts typically have few privileges and do not belong to groups. The default ACL protection in Active Directory Domain Services permits minimal access for computer accounts. Consequently, services running as LocalSystem, on computers other than DCs, have only minimal access to Active Directory Domain Services.
If your service runs under LocalSystem, you must test your service on a member server to ensure that your service has sufficient rights to read/write to Active Directory Domain Controllers. A domain controller should not be the only Windows computer on which you test your service. Be aware that a service running under LocalSystem on a Windows domain controller has complete access to Active Directory Domain Services and that a member server runs in the context of the computer account which has substantially fewer rights.
How to Run a Program as SYSTEM (LocalSystem) Account in Windows
Many Windows system files, registry keys, and services are owned by the SYSTEM (a.k.a LocalSystem) account, which has a high privilege level. If you need to modify a registry key owned by the SYSTEM account, there are at least two options.
The first option that comes to your mind is to take ownership of the corresponding registry key, assign yourself Full Control permissions. Once the registry key or the values are updated, revert the permissions and ownership to SYSTEM .
There is, however, an easier option. You can run the program — e.g., the Command Prompt or the Registry Editor under the SYSTEM account directly and update the registry values.
This article lists six different methods using which you can run programs under the SYSTEM or LocalSystem account in any version of Windows, including Windows 10. You can also add a Run as SYSTEM right-click menu option for .exe files.
Method to run a program under the SYSTEM account:
Before proceeding, understand that the terms SYSTEM , LocalSystem , and NT AUTHORITY\SYSTEM are one and the same.
How to Run Programs as SYSTEM (LocalSystem account)
To run a program under the SYSTEM account, use one of the following tools:
Using PsExec.exe from Windows Sysinternals
Use PsExec.exe console tool from Microsoft’s Windows Sysinternals to run a program under the SYSTEM context. Follow these instructions:
- Download PsExec from Microsoft Sysinternals.
- Unzip and extract the tool to a permanent folder — e.g., d:\tools
- Open an elevated or admin Command Prompt window.
- To start the Registry Editor under the SYSTEM account, type the following command, and press ENTER :
The above PsExec command-line starts the Registry Editor under LOCALSYSTEM account so that you can modify protected areas in the registry.
Note: If you launch Command Prompt ( cmd.exe ) using PsExec.exe under the SYSTEM account, it spawns a new Command Prompt window. And, any program you launch from that Command Prompt window would run under the SYSTEM (LocalSystem) account, which is a high privileged account. You must be cautious when running programs under the SYSTEM account so that you don’t accidentally run an undesired program as SYSTEM .
Using Advanced Run from Nirsoft
AdvancedRun is a simple tool for Windows that allows you to run a program with different settings that you choose, including – low or high priority, start directory, main window state (Minimized/Maximized), run the program with different user or permissions, Operating system compatibility settings, and environment variables. You can also save the desired settings into a configuration file and then run the program automatically from the command-line with the desired settings.
Using Advanced Run, you also launch a program under SYSTEM or a different user context.
Type in the program name to run and choose SYSTEM user in the Run As dropdown box, and click Run.
You can also create a desktop shortcut to run a program as SYSTEM. Here is the command-line syntax you use:
/RunAs 4 instructs to start the program under the LocalSystem account. The possible value data for the /RunAs switch are below:
- 1 – Run as current user (elevate)
- 2 – Run as current user (no elevation)
- 3 – Run as Administrator (force elevation)
- 4 – Run as SYSTEM
- 8 – Run as TrustedInstaller
This starts the program under the LocalSystem account, which you can verify in the Task Manager Details tab.
Run as SYSTEM via the right-click menu
To launch a program under the SYSTEM account (with Advanced Run) from the right-click context menu, make a .reg file from the following contents and run the file.
Change the path to AdvancedRun.exe in the .reg file if necessary.
This adds the Run as SYSTEM command to the right-click menu for .exe files and its shortcuts.
Using Process Hacker
Process Hacker is an excellent process manager that looks similar to Sysinternals Process Explorer. This tool has a unique feature that allows you to launch a program under the same account as a running process or service.
- Run Process Hacker as administrator.
- Locate a program or service which is currently running under NT AUTHORITY\SYSTEM .
- Right-click on the process, click Miscellaneous, and click Run as this user…
Now the program (e.g., cmd.exe) would run as SYSTEM ( NT AUTHORITY\SYSTEM )
The above method can also be used to launch any program under TrustedInstaller.
Using NirCmd.exe from NirSoft
NirCmd is a multipurpose command-line tool which we’ve covered in this site before. 
report this ad
NirCmd can start a program elevated as well as launch it under the SYSTEM account.
Use this command-line to start the Registry Editor elevated and under the SYSTEM account:
Context menu implementation
Make a .reg file from the following contents and run the file.
Using RunAsSystem from Uwe Sieber
RunAsSystem (from Uwe Sieber) is a console tool that launches a program under the SYSTEM account or context. It also passes the window style and its process priority to the executed process by default. You can override the window size as well as the child process priority using command-line arguments. Uwe Sieber is the one who developed the famous USB Drive Letter Manager program.
It waits for the started process to end and then passes back its return code (aka errorlevel). However, in a batch file, you have to add start /wait .
Usage:
Examples:
Context menu implementation
Make a .reg file from the following contents and run the file.
The above .reg file adds a Run as SYSTEM command in the right-click menu for .exe files. The .reg file assumes that the file RunAsSystem.exe is placed under the d:\tools folder. If not, alter the path accordingly in the .reg file.
Using “NSudo” from M2Team
NSudo (GitHub) is a similar portable utility like Advanced Run, except that it is not digitally signed. It can launch programs under SYSTEM, Current User, Current Process, or the TrustedInstaller account. We’ve earlier seen how to use NSudo to launch programs as TrustedInstaller.
Select the mode (System) from the dropdown, type in the executable path, and click Run.
Optionally, you can also add a predefined set of programs or commands in the Open: drop-down list box by editing the file named NSudo.json located in the same folder as the executable.
To run a program under the SYSTEM context using NSudo command-line, use this syntax:
See below for the full list of command-line arguments supported by this utility.
NSudo: Command-line support
Context menu addition
- Run NSudo with -Install parameter. It copies NSudo to the Windows directory and adds the context menu.
- To remove the context menu, run NSudo with the -Uninstall parameter. It removes NSudo from the Windows directory and the context menu.
Editor’s Pick: Advanced Run for GUI (and CLI), and PsExec for CLI.
One small request: If you liked this post, please share this?
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.
Microsoft → Windows → How to Run a Program as SYSTEM (LocalSystem) Account in Windows
2 thoughts on “How to Run a Program as SYSTEM (LocalSystem) Account in Windows”
This is a really useful article and information. Thank you for that!
I use this feature at the login screen by renaming a few files while Windows is offline. While this is a handy feature for technicians like myself, shouldn’t this be a security issue that Microsoft addresses?
Windows service: Listening on socket while running as LocalSystem
I’m writing a small server-like program in C for Windows (using MinGW/GCC, testing on Windows 7) which is eventually supposed to run as a service with the LocalSystem account. I am creating a socket, and using Windows Sockets bind() , listen() and accept() to listen for incoming connections. If I run the application from the command line (i.e. not as a service, but as a normal user), I have no problems connecting to it from external IPs. However, if I run the program as a service with the LocalSystem account, I can only connect to the service from my own PC, either with 127.0.0.1 or my local address, 192.168.1.80 (I’m behind a router in a small local network). Neither external IPs nor other PCs in the same local network, using my local address, can connect now, even though there were no problems without running as a service.
Now, I’ve heard that networking is handled differently or even not accessible (?) when running as LocalSystem or LocalService or that services cannot access both the desktop and the network (note: my service is not interactive) at the same time due to security considerations. Essentially, I need to find out what’s going wrong/how to listen for connections in a service. Is running as NetworkService the same as running as LocalSystem, but with network access? Surely there must be servers that can run as background services, so how do they do it?
UPDATE: It seems that the suggestions to turn off the firewall were on the right track – I can get a connection after adding an exception in the Windows Firewall. I guess I wasn’t thinking about the firewall because when you run an application using sockets normally, you get a prompt asking to add an exception, which doesn’t happen when a service is run for the first time. Is there a better way to handle this than adding the rule to the firewall manually? Does LocalSystem have the privileges to add a rule to the firewall itself or would I have to do this during installation somehow?
Why running a service as Local System is bad on windows?
I am trying to find out the difference between difference service account types. I tumbled upon this question.
The answer was because it has powerful access to local resources, and Network Service should be used if possible.
But still I am not able to understand that if it has powerful access to local resources, how attacker can access the account? What are the ways to compromise the account? I understood it is all about security, but I don’t know how. It could be dark hacker’s world, however anybody could explain, in simple terms, why network service account is better than local account ?
Thanks in advance.
5 Answers 5
Every program you run increases the attack surface of your server.
You have to assume that a determined, malicious actor can exploit bugs or loopholes in your program to make it do anything. You mitigate that by executing your programs with the least privileges required to do their jobs.
Some of these exploits include:
Luring attacks, in which an attacker tricks your program into executing their code under the program’s elevated privileges.
Buffer Overrun Attacks, in which extra data sent to a method is written into adjacent memory, which may be the target of control flow logic.
Man in the Middle attacks, where an attacker falsifies messages to your program.
Often, a given service isn’t obviously vulnerable to any of these. Running under network service (or another account with reduced permissions) is a ‘better safe than sorry’ strategy that acknowledges two important facts of software development: programmers are fallible and attackers are inventive.
The LocalSystem account is the Windows equivilant of the *nix root account. It’s even more privileged than an administrator account. When you run as LocalSystem, you have full access to every resource on the machine.
As others have written, you should write your code to run with the least possible privileges.
The primary difference between LocalService and NetworkService is that services running as NetworkService have the ability to authenticate to other machines in the domain (as the machine account I believe).
Please note that the LocalService and NetworkService accounts both have the «Impersonate» privilege which is a potentially dangerous privilege — it allows the service to impersonate the user who is calling into the service. If that user is an administrator, then even though your code is running in a low privileged service, it can do anything that the administrator does. If an attacker can exploit a buffer overflow in your least privilege service, they can hook out the APIs you use to impersonate your caller and wait until a high privileged caller calls into your service. This technique is known as «Token Kidnapping» and the MSRC has a great blog post describing the issue (and contains links that describe how to mitigate many of the other risks associated with using LocalService and NetworkService accounts).
